Appropriate risk is the risk an enterprise takes in pursuit of its objectives. In other words, it is the risk necessary for an enterprise to deliver its services, achieve its goals, and comply with regulatory requirements. How an enterprise responds to risk is determined by the acceptable levels discussed in 3.4.2 Risk Appetite and Tolerance Levels.
Inappropriate risk is a category that does not align with the organization’s goals, does not produce a clear benefit, exceeds the defined risk appetite and tolerance criteria, and can result in potential harm to the organization’s brand, reputation, stakeholder trust, or legal responsibilities.
There are four commonly accepted risk treatment strategies (figure 3.12):
Figure 3.12—Risk Treatment Contextualized for Probability and Impact

Source: ISACA, ISACA AAISM Official Review Manual, USA, 2025
In AI development and use, the risk treatment options remain the same, with some additional considerations.
Risk acceptance is chosen when the cost (or complexity) of mitigating the risk outweighs the benefits of making changes, especially when the risk’s likelihood and potential impact are relatively low. Ways to ensure effective risk acceptance include:
When considering AI solutions, an example of AI risk acceptance is a financial institution that uses AI-powered fraud detection with a known false positive rate of 5%. Another example of risk acceptance is potential job loss resulting from the use of AI.
Risk avoidance involves making an informed decision against pursuing a given course of action due to the inability to efficiently or effectively bring the risk in line with the organization’s acceptable limits.
For instance, if an AI tool is found to have a high potential for violating fundamental human and privacy rights—beyond acceptable thresholds defined by regulations like the EU AI Act—the organization might decide not to deploy that tool at all.
Making this decision safeguards the organization by removing the risk from the equation. This decision is not made lightly or without a detailed assessment, as it means the organization may experience an opportunity loss.
An example of AI risk avoidance is a large multinational corporation considering the deployment of an AI-driven hiring system to automate candidate screening and rank candidates based on their suitability for the role. Due to the potential fines, penalties, and reputational damages resulting from automated discriminatory hiring practices performed by the AI, the corporation decides to avoid the risk and not deploy the AI tool.
In other cases, a non-AI tool may be found to be less risky and more suitable for the business problem.
Mitigation is the informed decision to lower the chance (probability) of a risk materializing, the likely resulting impact, or both. In most cases, this is accomplished through the use of controls. Careful selection of appropriate AI controls ensures that risk is managed to acceptable levels. See 3.11 AI Control Selection and Validation for more information.
For example, if an AI system for loan approvals makes biased decisions based on unbalanced training data, the organization can:
The organization must make an informed decision to proactively effect appropriate changes, thus reducing the probability that the risk will manifest itself or minimizing the potential harm to a user if it does.
For example, a healthcare provider implements an AI-driven medical diagnosis system to assist doctors in identifying diseases based on patient data. The AI model occasionally misdiagnoses certain conditions, especially rare diseases. The healthcare provider mitigates the risk by keeping doctors in control of the final diagnosis, ensuring transparency, and continuously improving the AI’s performance.
Figure 3.13 provides an overview of potential mitigation strategies for common AI threats.
Figure 3.13—AI Threat Mitigations
| Threat Category | AI-related Threats | Potential Mitigations |
|---|---|---|
| Advanced threats | Model backdoor attack | |
| Automated threats and AI-augmented attacks | Exploit development; Autonomous attacks | |
| Availability and reliability risk | Model drift | |
| Bias and fairness | Bias amplification | |
| Brand and reputational risk | Scandals | |
| Compliance and regulatory risk | Explainability failures | |
| Consumer distrust | Deception concerns | |
| Content authenticity and fake media | Deepfakes | |
| Cryptographic and integrity threats | Model watermarking attacks | |
| Customer experience and usability challenges | AI usability challenges | |
| Cybercrime | Autonomous attacks | |
| Data security | Model inversion | |
| Denial of service (DoS) | Adversarial attacks | |
| Dependency | AI overreliance | |
| Emerging AI-specific risk | Hallucinations | |
| Environmental and sustainability concerns | Power consumption; Water consumption | |
| Ethical concerns | Ethical boundaries; Hallucinations | |
| Global geopolitical and trade restrictions | Export controls | |
| Human factors and insider threats | Unintentional bias amplification; Backdoors; Insecure design | |
| Human-machine collaboration challenges | Trust issues | |
| Identity and authentication threats | Deepfakes | |
| Legal risk | Legal violations | |
| Malware and exploits | Data poisoning | |
| Market manipulation and abuse | Market manipulation | |
| Model and algorithm-specific risk | Model stealing via application programming interface (API) queries | |
| Operational costs and financial risk | Compute costs | |
| Privacy and data integrity | Model poisoning | |
| Privacy perception | AI-specific privacy concerns | |
| Regulatory and compliance risk | AI-specific regulations | |
| Rogue AI behavior | AI unpredictability | |
| Social engineering | Social engineering campaigns | |
| Societal and cultural issues | Societal manipulation | |
| Software vulnerabilities | Model extraction | |
| Staff competencies | Skill gaps | |
| Strategic misalignment | AI hype adoption | |
| Supply chain and third-party risk | Data supply chain attacks | |
| Transparency and explainability | Black box problem | |
| Unauthorized access | Theft of services; Prompt injection | |
| Workforce impact | Job displacement | |
Source: ISACA, ISACA AAISM Official Review Manual, USA, 2025
Risk is never zero, and AI is no exception. Model outputs can always have some degree of inaccuracy, even with human oversight. Conformity assessments (see 3.5.3 Conformity Assessments) can aid in assessing if AI-embedded products meet regulatory and compliance standards and help enterprises determine what residual risk remains after testing.[161]
Figure 3.14 shows an example for calculating residual risk in products with embedded AI.
Ethical and human rights considerations add an extra level of complexity to residual risk. Laws, such as the EU AI Act, require impacts to humans to be “acceptable,” which can be interpreted in many ways by different organizations.[162] Enterprises should do their due diligence to define what “acceptable” residual risk to humans is, especially with regard to applicable regulations, including reassessing residual AI risk periodically as models, data, and operational contexts evolve, since new or amplified risk may surface after deployment. See Part F: AI Trustworthiness, Ethical, and Societal Implications for more information.
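The fraud-detection example under risk acceptance accepts a known 5% false positive rate, and the paragraph above calls for periodic reassessment of residual risk once the model is in production. Acceptance only remains valid while the accepted rate actually holds, so the reassessment needs a measurable check. The following Python is an added illustration, not ISACA's or the manual's own material: it recomputes the false positive rate from a constructed sample of production decisions, puts a Wilson confidence interval around it, and reports whether the risk can still be treated as accepted, needs watching, or must be re-treated. The 5% rate is the manual's example value; the 1% tolerance band, the 95% confidence level, and the sample counts are assumptions made for the example.

```python
"""Check whether an accepted AI risk still sits inside its accepted bounds.

Added illustration, not the manual's own tooling. The accepted 5% false
positive rate is from the manual's fraud-detection example; the tolerance
band, confidence level and sample decisions below are constructed
assumptions.
"""
from dataclasses import dataclass
from math import sqrt

ACCEPTED_FPR = 0.05   # rate the institution accepted (manual's example)
TOLERANCE = 0.01      # assumed tolerance band above the accepted rate
Z_95 = 1.96           # assumed 95% confidence level


@dataclass(frozen=True)
class Decision:
    """One production decision, reconciled against the investigation outcome."""
    flagged: bool          # model flagged the transaction as fraud
    actually_fraud: bool   # ground truth established afterwards


def build_sample(n_legit, n_false_pos, n_fraud, n_true_pos):
    """Constructed sample: counts stand in for a real decision log."""
    legit = [Decision(flagged=i < n_false_pos, actually_fraud=False)
             for i in range(n_legit)]
    fraud = [Decision(flagged=i < n_true_pos, actually_fraud=True)
             for i in range(n_fraud)]
    return legit + fraud


def false_positive_rate(decisions):
    """Return (rate, false positives, legitimate count).

    FPR is measured over legitimate transactions only; fraud cases that were
    caught or missed do not enter into it.
    """
    legit = [d for d in decisions if not d.actually_fraud]
    if not legit:
        raise ValueError("sample contains no legitimate transactions")
    false_pos = sum(1 for d in legit if d.flagged)
    return false_pos / len(legit), false_pos, len(legit)


def wilson_interval(successes, n, z=Z_95):
    """Wilson score interval for a proportion.

    Unlike the plain normal approximation it stays sensible for small samples
    and rates near zero, which is where a monitoring check is most likely to
    mislead.
    """
    if n == 0:
        raise ValueError("empty sample")
    p = successes / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def acceptance_status(decisions, accepted=ACCEPTED_FPR, tolerance=TOLERANCE):
    """Classify the accepted risk against the observed rate.

    'accept'   - observed rate within the accepted level plus tolerance
    'watch'    - point estimate is above tolerance, but the sample is too
                 small to say so with confidence: gather more data
    'reassess' - even the lower confidence bound exceeds tolerance: the
                 basis for acceptance no longer holds, treat the risk again
    """
    rate, false_pos, n_legit = false_positive_rate(decisions)
    lower, _upper = wilson_interval(false_pos, n_legit)
    ceiling = accepted + tolerance
    if lower > ceiling:
        return "reassess"
    if rate > ceiling:
        return "watch"
    return "accept"


if __name__ == "__main__":
    for label, sample in [
        ("quarter 1", build_sample(1000, 48, 100, 90)),
        ("quarter 2", build_sample(1000, 90, 100, 92)),
        ("pilot region", build_sample(50, 4, 5, 4)),
    ]:
        rate, fp, n = false_positive_rate(sample)
        print(f"{label}: FPR {rate:.3f} ({fp}/{n}) -> {acceptance_status(sample)}")
```

The three-way outcome is the point of the design: a small pilot sample at 8% is not yet evidence that the accepted 5% has been breached, so it is recorded as "watch" rather than triggering a new treatment decision, whereas a full quarter at 9% is a clear breach and sends the risk back through the treatment options.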
Figure 3.14—Calculating Residual Risk for AI-embedded Products

Source: Nikonov, V.; “Risks of Products with Embedded AI: (Why) Do They Cause Harm? What to Test and How to Test?,” link
There are times when the risk impact may exceed the organization’s appetite, but there is still value to be gained. After careful analysis, an organization may discover that the probability of an event occurring is low, but not so low that the enterprise is willing to fully accept the risk. Additionally, value and benefits diminish significantly if the risk is mitigated to bring it into alignment with the enterprise’s risk appetite. In this case, the enterprise may decide to “share” a portion of this risk, typically through a financial arrangement, should that risk materialize. This is known as risk transfer (or sharing).
Types of risk sharing include:
An example of risk transfer/share is a car manufacturer developing an AI-powered system for autonomous vehicles. The AI system cannot guarantee zero risk of accidents due to unpredictable road conditions. Instead of fully bearing the liability for AI-driven accidents, the manufacturer transfers risk to insurers.
The rapid adoption of AI technologies has led many insurers to reevaluate whether the risk associated with their use is covered under existing policies. As stated, many areas of AI risk are not unique to AI, such as privacy violations, product liability, etc.[163] However, questions remain as to who is legally liable for harms caused by AI decisions, leading many carriers to create AI exclusions in their policies. Others are creating policies specifically geared toward losses and risk associated with AI and gaps in current insurance coverage.[164] A key unresolved issue remains the assignment of liability when AI causes harm: whether responsibility lies with the developer, deployer, or user. Organizations should track evolving regulatory and case law guidance in this area.
Subrogation is another area that is being evaluated with the rise of AI solutions. Subrogation is the right of insurance carriers to recover losses from a third party responsible for those losses.[165] As with other areas of insurance, there are questions around who is responsible for losses associated with AI harms. AI-specific policies may help to define obligations, especially as subrogation claims related to AI risk are investigated.[166]